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400  ARMY  NAVY  DRIVE 
ARLINGTON,  VIRGINIA  22202-4704 


November  3,  2009 


MEMORANDUM  FOR  NAVAL  INSPECTOR  GENERAL 

SUBJECT:  Information  Security  at  the  Fleet  and  Industrial  Supply  Center,  Sigonella, 
Detachment  Bahrain  (Report  No.  D-20 10-005) 


We  are  providing  this  report  for  review  and  comment.  This  is  the  first  in  a  series  of 
audits  on  Army  and  Navy  ship  maintenance  contracts.  We  considered  management 
comments  on  a  draft  of  this  report  when  preparing  the  final  report. 

DOD  Directive  7650.3  requires  that  all  recommendations  be  resolved  promptly.  We 
redirected  draft  Recommendation  1  .a  to  the  Director  of  Contracting,  Fleet  and  Industrial 
Supply  Center,  Sigonella,  Detachment  Naples  and  renumbered  it  as  Recommendation  2.c. 
We  added  a  new  Recommendation  1  .a,  which  is  directed  to  the  Special  Assistant  for  Naval 
Investigative  Matters  and  Security.  We  also  revised  Recommendation  l.b.  We  request  that 
the  Special  Assistant  for  Naval  Investigative  Matters  and  Security  respond  to 
Recommendation  l.a  and  l.b,  and  the  Director  of  Contracting,  Fleet  and  Industrial  Supply 
Center,  Sigonella,  Detachment  Naples,  respond  to  Recommendation  2.c  by  November  24, 
2009. 

If  possible,  please  send  a  .pdf  file  containing  your  comments  to  audacm@dodig.mil.  Copies 
of  the  management  comments  must  contain  the  actual  signature  of  the  authorizing  official. 
We  are  unable  to  accept  the  /Signed/  symbol  in  place  of  the  actual  signature.  If  you  arrange 
to  send  classified  comments  electronically,  you  must  send  them  over  the  SECRET  Internet 
Protocol  Router  Network  (SIPRNET). 

We  appreciate  the  courtesies  extended  to  the  staff.  Please  direct  questions  to  me  at  (703) 
604-9071  (DSN  664-9071). 


Deputy  Assistant  Inspector  General 
Acquisition  and  Contract  Management 
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Results  in  Brief:  Information  Security  at  the 
Fleet  and  Industrial  Supply  Center,  Sigonella, 
Detachment  Bahrain 


What  We  Did 

This  is  the  first  in  a  series  of  reports  on  Army 
and  Navy  ship  maintenance  contracts.  The 
overall  objective  was  to  determine  whether 
contracts  providing  ship  repair  and  maintenance 
to  the  U.S.  Army  operations  in  Kuwait  and 
Navy  operations  in  Bahrain  and  United  Arab 
Emirates  were  properly  managed  and 
administered.  We  are  issuing  this  report  in 
order  to  address  an  information  security  issue  at 
the  Fleet  and  Industrial  Supply  Center, 
Sigonella,  Detachment  Bahrain  (FISCSI  Det 
Bahrain).  Subsequent  reports  will  address  the 
audit  objective. 

What  We  Found 

We  identified  internal  control  weaknesses  in 
controlling  and  securing  classified  information 
at  FISCSI  Det  Bahrain. 

U.S.  Navy  personnel  did  not  follow  DOD 
Regulations  on  handling  classified 
documentation.  Specifically,  the  Office  of  the 
Chief  of  Naval  Operations  (CNO)  did  not 
correctly  mark  the  documents  with  a 
declassification  date,  and  FISCSI  Det  Bahrain 
personnel  stored  classified  documents  in 
unclassified  files  that  they  did  not  safeguard  or 
mark  properly. 

What  We  Recommend 

The  Special  Assistant  for  Naval  Investigative 
Matters  and  Security: 

•  determine  who  the  original 

classification  authority  is  and  provide 
this  information  to  FISCSI  Det  Bahrain 
and 


•  initiate  corrective  actions  to  ensure  that 
all  future  classified  documents  are 
properly  marked. 

The  Director  of  Contracting,  Fleet  and  Industrial 
Supply  Center,  Sigonella,  Detachment  Naples 
(FISCSI  Det  Naples)  ensure  that  FISCSI  Det 
Bahrain: 

•  provide  training  to  personnel  at  FISCSI 
Det  Bahrain  on  DOD  and  Navy 
information  security  policies  to  ensure 
that  personnel  know  how  to  handle 
classified  information, 

•  review  all  contract  files  to  ensure  that 
they  do  not  contain  classified 
information  and  documentation  and  take 
appropriate  action  to  control  and  secure 
any  classified  information  found,  and 

•  investigate  the  compromise  of  classified 
information 

Management  Comments  and 
Our  Responses 

The  Deputy  Assistant  Secretary  of  the  Navy 
(Management  and  Budget)  responded  for  the 
Special  Assistant  for  Naval  Investigative 
Matters  and  Security,  and  the  Director  of 
Contracting,  FISCSI  Det  Naples.  We  redirected 
and  renumbered  draft  Recommendation  l.a  to 
2.c.  We  added  a  new  Recommendation  1  .a  and 
revised  draft  Recommendation  l.b.  We  request 
that  the  Special  Assistant  for  Naval 
Investigative  Matters  and  Security  and  FISCSI 
Det  Naples  provide  comments  on  the  final 
report  by  November  24,  2009.  See  the 
recommendations  table  on  page  ii. 
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Introduction 

Objectives 

This  is  the  first  in  a  series  of  reports  on  Army  and  Navy  ship  maintenance  contracts.  The 
overall  objective  was  to  determine  whether  contracts  providing  ship  repair  and 
maintenance  to  the  U.S.  Army  operations  in  Kuwait  and  Navy  operations  in  Bahrain  and 
United  Arab  Emirates  were  properly  managed  and  administered.  The  audit  series  will 
include  reports  on  the  contracts  we  reviewed  in  the  Fleet  and  Industrial  Supply  Center, 
Sigonella,  Detachment  Bahrain  (FISCSI  Det  Bahrain);  U.S.  Naval  Sea  Systems 
Command;  and  the  U.S.  Army.  See  Appendix  A  for  a  discussion  of  our  scope  and 
methodology. 

The  audit  team  identified  an  information  security  issue  at  FISCSI  Det  Bahrain.  We 
issued  a  memorandum  (Appendix  B)  identifying  the  seriousness  of  this  issue  and  required 
action;  however,  FISCSI  Det  Bahrain  personnel  had  not  implemented  the  necessary 
improvements.  Although  the  original  objective  did  not  include  information  security,  we 
determined  that  further  notification  and  reporting  was  warranted.  The  potential  impacts 
of  not  protecting  classified  information  on  U.S.  national  security  are  severe.  We  are 
issuing  this  report  to  address  the  information  security  issues  at  FISCSI  Det  Bahrain  in  a 
timely  manner. 

Background 

The  Naval  Supply  Systems  Command 

The  Naval  Supply  Systems  Command  manages  supply  chains  that  provide  material  for 
Navy  aircraft,  surface  ships,  submarines,  and  their  associated  weapons  systems.  The 
Commander,  Fleet  and  Industrial  Supply  Centers  reports  to  the  Naval  Supply  Systems 
Command. 

Commander ,  Fleet  and  Industrial  Supply  Centers 

Under  the  Naval  Supply  Systems  Command;  the  Commander,  Fleet  and  Industrial  Supply 
Centers,  functions  as  a  global  provider  of  integrated  supply  and  support  services  to  fleet 
units  and  shore  activities.  The  Commander,  Fleet  and  Industrial  Supply  Centers,  is 
responsible  for  establishing  common  policies  and  procedures  of  the  worldwide  network 
of  the  seven  Fleet  and  Industrial  Supply  Centers,  including  the  Fleet  and  Industrial 
Supply  Center,  Sigonella,  Italy. 

Fleet  and  Industrial  Supply  Center,  Sigonella 

The  Fleet  and  Industrial  Supply  Center,  Sigonella  (FISCSI)  is  located  at  the  Naval  Air 
Station  Sigonella,  Italy,  and  provides  logistics,  business,  and  support  services  to  the 
Navy,  Coast  Guard,  and  Military  Sealift  Command,  as  well  as  other  joint  forces.  FISCSI 
delivers  direct  logistical  support  to  various  locations  including  Dubai  and  Jebel  Ali  within 
the  Emirate  of  Dubai  and  Bahrain.  FISCSI  oversees  the  FISCSI,  Detachment  Naples 
(FISCSI  Det  Naples). 
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FISCSI  Det  Naples 

FISCSI  Det  Naples  has  detachments  in  London,  Bahrain,  and  the  Emirate  of  Dubai 
to  provide  contracting  support  for  U.S.  forces  throughout  Europe,  the  Mediterranean, 
Africa,  and  Southwest  Asia. 

FISCSI  Det  Bahrain 

FISCSI  Det  Bahrain  is  located  at  the  Naval  Support  Activity  in  Manama,  Bahrain.  The 
mission  of  FISCSI  Det  Bahrain  is  to  provide  fleet  support  for  U.S  Navy,  Military  Sealift, 
and  Coast  Guards  ships  operating  in  the  5th  Fleet  area  of  responsibility  as  well  as  base 
support  for  naval  installations  in  the  Middle  East.  FISCSI  Det  Bahrain  reports  to  FISCSI 
Det  Naples.  The  workforce  at  FISCSI  Det  Bahrain  consists  of  3  military  service 
members,  5  U.S.  civilians,  and  12  foreign  nationals.  FISCSI  Det  Bahrain  administers 
some  of  the  Navy  contracts  in  our  audit  sample. 

Review  of  Internal  Controls 

DOD  Instruction  5010.40,  “Managers’  Internal  Control  (MIC)  Program  Procedures,” 
January  4,  2006,  requires  DOD  organizations  to  implement  a  comprehensive  system  of 
internal  controls  that  provides  reasonable  assurance  that  programs  are  operating  as 
intended  and  to  evaluate  the  effectiveness  of  the  controls.  We  determined  that  FISCSI 
Det  Bahrain  did  not  have  adequate  internal  controls  for  controlling  and  securing 
classified  information.  Implementing  the  recommendations  in  the  Finding  will  help  to 
prevent  compromising  classified  information  at  FISCSI  Det  Bahrain.  We  will  provide  a 
copy  of  the  report  to  the  senior  official  responsible  for  internal  controls  at  Naval  Supply 
Systems  Command,  FISCSI  Det  Naples,  and  to  the  Special  Assistant  for  Naval 
Investigative  Matters  and  Security. 
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Finding.  Classified  Information  in  the  Fleet 
and  Industrial  Supply  Center,  Sigonella, 
Detachment  Bahrain 

FISCSI  Det  Bahrain  personnel  stored  classified  documents  in  unclassified  files  that  they 
did  not  safeguard  or  mark  properly  because  FISCSI  Det  Bahrain  personnel  did  not  follow 
DOD  Regulations  on  handling  classified  information.  In  addition,  Chief  of  Naval 
Operations  (CNO)  officials  did  not  properly  mark  the  documents  with  a  declassification 
date.  As  a  result,  foreign  nationals  and  other  employees  had  access  to  classified 
information.  Unauthorized  access  to  classified  documentation  can  compromise  national 
security  and  increase  risk  to  the  warfighter. 

Safeguarding  of  Classified  Information 

DOD  Regulation  5200. 1-R,  “Information  Security  Program,”  January  1997  states  that 
everyone  granted  access  to  classified  information  is  responsible  for  properly  protecting 
information  in  their  possession  or  control.  The  Regulation  states  that  we  must  protect 
classified  information  at  all  times  by  storing  it  in  an  approved  device  or  facility  or  in  the 
possession  of  an  authorized  individual. 

FISCSI  Det  Bahrain  officials  provided  the  contract  files  for  contracts  N49400-03-H- 
A005-5024  and  N49400-04-H-A50 1-6098  on  May  25,  2009.  According  to  FISCSI  Det 
Bahrain  contracting  officials,  they  retrieved  the  contract  files  from  an  unsecured  storage 
facility  and  placed  them  in  the  unsecured  conference  room.  The  contract  files  provided 
to  us  were  issued  from  FY  2004  through  FY  2009.  The  Deputy  Officer  In  Charge, 
FISCSI  Det  Bahrain,  stated  that  none  of  the  contract  files  were  locked  in  an  approved 
container  or  storage  facility  because  the  contracts  were  unclassified. 

On  May  28,  2009,  we  found  a  CNO  memorandum  and  an  e-mail  classified 
Confidential/NOFORN  (not  releasable  to  foreign  nationals)  in  contract  file  N49400-03- 
H-A005-5024.  When  we  discovered  the  items,  we  attempted  to  inform  the  Officer  in 
Charge,  FISCSI  Det  Bahrain.  However,  he  was  not  available,  so  we  informed  the  FISCSI 
Det  Bahrain  legal  counsel.  The  legal  counsel  stated  that  FISCSI  Det  Bahrain  personnel 
would  review  the  contract  file  page  by  page  and  start  an  investigation  into  the  matter. 
FISCSI  Det  Bahrain  officials  secured  the  contract  file  N49400-03-H-A005-5024  in  a 
safe. 

On  May  31,  2009,  we  discovered  another  CNO  memorandum  and  an  e-mail  classified 
Confidential/NOFORN  in  contract  file  N49400-04-H-A50 1-6098.  We  again  informed 
the  FISCSI  Det  Bahrain  legal  counsel  and  the  Officer  in  Charge,  FISCSI  Det  Bahrain. 

We  provided  them  with  the  entire  contract  file  for  their  review.  FISCSI  Det  Bahrain 
secured  the  classified  documentation  in  contract  file  N49400-04-H-A50 1-6098  in  a  room 
with  a  lock  on  the  door. 
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FISCSI  Det  Bahrain  personnel  stated  that  the  documentation  we  discovered  is  old,  may 
be  declassified,  and  is  public  knowledge.  We  informed  the  FISCSI  Det  Bahrain  Officer 
in  Charge  that  FISCSI  Det  Bahrain  should  still  treat  the  documents  as  classified 
information  because  there  was  not  a  date  for  declassification  on  the  documents. 
Additionally,  the  FISCSI  Det  Bahrain  Officer  in  Charge  did  not  create  the  documents  and 
does  not  have  the  authority  to  determine  if  the  documents  should  be  declassified.  The 
processes  and  procedures  FISCSI  Det  Bahrain  personnel  use  to  secure  and  protect 
classified  information  are  ineffective.  Unless  Navy  officials  identify  and  correct  the 
faults  in  those  procedures,  we  believe  that  similar  failures  will  happen  in  the  future, 
which  could  jeopardize  U.S.  national  security. 

We  obtained  a  copy  of  the  memorandum  and  e-mails  included  in  contract  file  N49400- 
04-H-A501-6098.  Although  we  requested  a  copy  of  the  classified  documents  in  contract 
file  N49400-03-H-A005-5024  several  times,  the  FISCSI  Det  Bahrain  Command  Security 
Officer  shredded  the  classified  documents  without  providing  us  a  copy  for  our  audit 
documentation  review  and  analysis. 

Marking  of  Classified  Information 

The  CNO  issuing  official  and  FISCSI  Det  Bahrain  officials  did  not  properly  mark  the 
classified  memoranda  and  e-mails  with  a  declassification  date  or  identify  the  source  of 
classification  of  the  information  in  the  document.  DOD  5200. 1-R  requires  markings  that 
include  a  declassification  date  and  identify  the  source  of  the  classified  information. 

Because  CNO  officials  issued  the  memoranda,  they  were  responsible  for  correctly 
marking  them.  CNO  officials  did  not  mark  the  memoranda;  therefore,  we  could  not 
determine  who  the  original  classification  authority  was  for  declassifying  the  information. 
DOD  5200. 1-R  states  that  the  Secretary  of  Defense,  the  Secretaries  of  the  Military 
Departments,  and  the  designated  original  classification  authority  are  the  only  personnel 
that  can  declassify  information. 

We  reviewed  the  e-mails  included  with  the  memorandum  in  contract  file  N49400-04-H- 
A50 1-6098  and  determined  that  FISCSI  Det  Bahrain  did  not  properly  mark  the  e-mails. 
One  e-mail  contained  “derived  from”  and  “declassify  on”  information.  However,  Navy 
personnel  did  not  properly  mark  the  forwarding  e-mails.  In  addition,  we  could  not 
determine  whether  the  Navy  personnel  on  the  e-mails  sent  them  on  a  secure  network. 

Access  to  Classified  Information 

FISCSI  Det  Bahrain  has  many  foreign  nationals  working  in  its  contracting  office. 

Because  the  documents  we  found  were  marked  “Confidential/NOFORN,”  foreign 
nationals  should  not  have  access  to  these  documents.  In  the  contract  file  for  N49400-04- 
H-A50 1-6098,  we  found  modifications  signed  by  a  contracting  official  that  is  a  foreign 
national.  We  determined  that  because  a  foreign  national  signed  the  contract 
modifications,  they  had  access  to  the  classified  documentation  included  in  that  file. 
Therefore,  the  classified  information  is  potentially  compromised. 
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DOD  5200. 1-R  states  that  when  an  actual  or  potential  compromise  of  classified 
information  occurs,  the  head  of  the  activity  or  activity  security  manager  should  promptly 
initiate  an  inquiry  into  the  incident.  According  to  the  Secretary  of  the  Navy  Manual 
5510.36,  “Department  of  the  Navy  Information  Security  Program,”  June  2006,  when  a 
compromise  of  classified  information  occurs,  the  commanding  officer  or  security 
manager  should  initiate  a  preliminary  inquiry  within  72  hours  of  the  incident.  If  it  is 
determined  during  the  preliminary  inquiry  that  a  compromise  of  classified  information 
occurred,  the  commanding  officer  or  security  manager  should  contact  the  local  Naval 
Criminal  Investigative  Service  office  in  a  timely  manner.  Once  we  notified  the  Officer  in 
Charge,  FISCSI  Det  Bahrain  that  we  found  the  classified  information,  he  should  have 
initiated  an  inquiry  into  the  incident  and  informed  the  Naval  Criminal  Investigative 
Service.  However,  FISCSI  Det  Bahrain  officials  did  not  initiate  an  inquiry  into  the 
incident  and  did  not  notify  the  Naval  Criminal  Investigative  Service. 

During  our  exit  briefing  on  June  4,  2009,  we  again  informed  the  Officer  in  Charge, 
FISCSI  Det  Bahrain,  that  he  needed  to  take  action  to  secure  this  information  and  to 
reduce  the  risk  of  future  security  issues. 

On  July  17,  2009,  we  issued  an  action  memorandum  to  FISCSI  Det  Naples  with  a  copy  to 
the  Special  Assistant  for  Naval  Investigative  Matters  and  Security  (Appendix  B).  We 
recommended  that  FISCSI  Det  Naples  personnel  initiate  an  inquiry  into  this  issue  in 
accordance  with  DOD  Regulation  5200. 1-R  and  that  they  inform  us  of  the  actions  taken 
to  address  the  issue. 

On  July  28,  2009,  we  received  a  memorandum  from  the  FISCSI  Det  Bahrain  Command 
Security  Officer  stating  that  the  Regional  Security  Director  in  Sigonella  gave  him 
permission  to  destroy  the  documents  because  the  documents  were  nearly  4  years  old  and 
all  of  the  information  contained  in  each  document  is  now  public  knowledge.  The 
Command  Security  Officer  stated  in  the  memorandum  that  the  documents  were  destroyed 
on  July  7,  2009,  in  accordance  with  the  instructions  of  the  Regional  Security  Director. 

Management  Actions 

FISCSI  Det  Bahrain  officials  took  minimal  action  to  train  personnel  on  the  proper 
handling  of  classified  information.  According  to  the  FISCSI  Det  Bahrain  Officer  in 
Charge,  FISCSI  Det  Bahrain  officials  are  developing  a  policy  on  handling  classified 
information  but  have  not  scheduled  any  corrective  training.  The  Officer  in  Charge  stated 
that  they  reviewed  the  two  contract  files  containing  the  documents  to  ensure  that  they  did 
not  contain  classified  documentation  but  did  not  check  the  other  contract  files  in  storage. 

After  we  issued  the  action  memorandum,  the  Special  Assistant  for  Naval  Investigative 
Matters  and  Security,  CNO,  ordered  a  preliminary  inquiry  into  this  compromise  of 
information.  The  Special  Assistant  for  Naval  Investigative  Matters  and  Security 
determined  that  the  preliminary  inquiry  completed  by  the  FISCSI  Det  Bahrain  Command 
Security  Officer  was  insufficient  and  asked  the  Security  Officer  to  complete  it  again. 
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Conclusion 

We  discovered  classified  documents  that  FISCSI  Det  Bahrain  did  not  safeguard,  which 
included  e-mails  FISCSI  Det  Bahrain  officials  did  not  mark.  We  determined  that  foreign 
national(s)  had  access  to  the  classified  documents,  which  constitutes  a  possible 
compromise  of  classified  information.  FISCSI  Det  Bahrain  must  investigate  this 
compromise.  In  addition,  FISCSI  Det  Bahrain  officials  should  provide  training  on  the 
handling  of  classified  information.  In  order  to  ensure  that  other  FISCSI  Det  Bahrain 
contract  files  do  not  contain  classified  documentation,  FISCSI  Det  Bahrain  personnel 
should  review  all  files  that  are  under  their  control.  The  classified  documentation  we 
discovered  includes  memoranda  that  CNO  officials  did  not  mark  As  a  result,  the  Special 
Assistant  for  Naval  Investigative  Matters  and  Security  needs  to  investigate  the  lack  of 
markings  on  the  CNO  memoranda  to  determine  why  they  were  not  marked  to  keep  it 
from  happening  in  the  future. 

Management  Comments  on  the  Finding  and  Our 
Response 

Director  of  Contracting,  Fleet  and  Industrial  Supply  Center, 
Sigonella,  Detachment  Naples  Comments 

The  Deputy  Assistant  Secretary  of  the  Navy  (Management  and  Budget)  (DASN  [M&B]), 
responding  for  the  Director  of  Contracting,  FISCSI  Det  Naples,  agreed  with  the  Finding. 
He  stated  that  the  classified  information  in  the  contract  file  was  stored  incorrectly  and 
was  unnecessarily  included  in  the  contract  file.  The  DASN  (M&B)  also  explained  that 
FISCSI  Det  Bahrain  does  not  award  or  work  with  classified  contracts. 

Our  Response 

We  commend  the  DASN  (M&B)  for  acknowledging  that  the  classified  information  in  the 
contract  file  was  stored  incorrectly  and  was  unnecessarily  included  in  the  contract  file. 
We  appreciate  his  explanation  that  FICSI  Det  Bahrain  does  not  award  or  work  with 
classified  documents. 

Recommendations,  Management  Comments,  and  Our 
Response 

Revised,  Redirected,  Renumbered,  and  Added  Recommendations.  As  a  result  of 
comments  from  the  DASN  (M&B),  we  revised,  redirected,  and  renumbered  draft 
Recommendation  l.a.  to  Recommendation  2.c.  We  directed  Recommendation  2.c  to  the 
Director  of  Contracting,  FISCSI  Det  Naples,  to  reflect  who  is  responsible  for  performing 
the  investigation.  We  added  new  Recommendation  l.a  directed  to  the  Special  Assistant 
for  Naval  Investigative  Matters  and  Security  to  determine  the  original  classification 
authority  for  the  memoranda  so  that  the  original  classification  authority  can  perform  a 
damage  assessment.  In  addition,  because  CNO  issued  classified  memoranda,  we  revised 
Recommendation  l.b  to  the  Special  Assistant  for  Naval  Investigative  Matters  and 
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Security  to  initiate  corrective  actions  that  will  ensure  that  all  classified  information  is 
properly  marked. 

1.  We  recommend  that  the  Special  Assistant  for  Naval  Investigative  Matters  and 
Security: 

a.  Determine  who  the  original  classification  authority  for  the  unmarked  Chief  of 
Naval  Operations  memoranda  is  and  coordinate  with  the  Fleet  and  Industrial 
Supply  Center,  Sigonella,  Detachment  Naples  so  the  original  classification  authority 
can  conduct  the  damage  assessment. 

b.  When  Recommendation  l.a  is  complete,  initiate  corrective  actions  to  ensure 
that  all  future  classified  documents  are  properly  marked. 

Special  Assistant  for  Naval  Investigative  Matters  and  Security 
Comments 

The  DASN  (M&B),  responding  for  the  Special  Assistant  for  Naval  Investigative  Matters 
and  Security,  agreed  with  Recommendations  l.a  and  l.b.  However,  the  DASN  (M&B) 
stated  that  CNO  provides  implementing  policy  in  the  Department  of  the  Navy.  He 
further  stated  that  CNO  is  not  responsible  for  conducting  an  investigation  into  the 
potential  compromise  of  classified  material  and  determining  its  effect  on  national 
security.  The  DASN  (M&B)  also  stated  that  the  original  classification  authority  should 
conduct  the  damage  assessment. 

The  DASN  (M&B)  stated  that  CNO  agrees  with  the  Finding  that  the  documents  were 
incorrectly  marked.  He  further  stated  that  CNO  conducted  a  preliminary  review  of  the 
classified  documents  in  question.  The  DASN  (M&B)  also  stated  that  CNO  asserted  that 
the  classified  documents  in  question  were  declassified  as  soon  as  the  host  nation  was 
notified  in  September  2005.  In  addition,  he  stated  that  on  May  7,  2009,  CNO  generated 
interim  guidance  across  the  Department  of  the  Navy  commands  regarding  the  proper 
marking  of  classified  documents  and  instructed  them  to  conduct  a  random  sampling  of 
originally  and  derivatively  generated  documents.  Finally,  the  DASN  (M&B)  stated  that 
the  CNO  annual  Security  Manager’s  Seminar  emphasizes  proper  marking  of  classified 
documents,  including  e-mails. 

Our  Response 

We  could  not  determine  the  original  classification  authority  for  the  information. 
According  to  DOD  5200. 1-R,  the  original  classification  authority  is  responsible  for 
performing  a  damage  assessment.  Because  CNO  issued  the  memoranda  that  were  not 
marked,  we  are  asking  the  Special  Assistant  for  Naval  Investigative  Matters  and  Security 
to  determine  who  the  original  classification  authority  for  the  memoranda  was  so  the 
original  classification  authority  can  perform  a  damage  assessment.  We  revised 
Recommendation  l.b  to  initiate  corrective  actions  once  Recommendation  l.a  is  complete. 
We  request  that  the  Special  Assistant  for  Naval  Investigative  Matters  and  Security 
provide  comments  on  the  new  Recommendation  l.a  and  revised  Recommendation  l.b. 
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2.  We  recommend  that  the  Director  of  Contracting,  Fleet  and  Industrial  Supply 
Center,  Sigonella,  Detachment  Naples  ensure  that  the  Fleet  and  Industrial  Supply 
Center,  Sigonella,  Detachment  Bahrain: 

a.  Provide  training  to  personnel  in  the  Fleet  and  Industrial  Supply  Center, 
Sigonella,  Detachment  Bahrain  on  DOD  and  Navy  information  security  policies  to 
ensure  that  personnel  know  how  to  handle  classified  information. 

b.  Review  all  contract  files  to  ensure  that  they  do  not  contain  classified 
information. 

c.  Investigate  this  potential  compromise  of  classified  information. 


Director  of  Contracting ,  Fleet  and  Industrial  Supply  Center, 
Sigonella,  Detachment  Naples  Comments 

The  DASN  (M&B),  responding  for  the  Director  of  Contracting  FISCSI  Det  Naples, 
agreed  with  Recommendations  2. a  and  2.b.  The  DASN  (M&B)  stated  that  the  FISCSI 
Assistant  Security  Officer  conducted  training  on  the  proper  handling  of  classified 
information  and  DOD  and  Department  of  the  Navy  information  security  policies  on 
August  10,  2009.  In  addition,  the  DASN  (M&B)  stated  that  the  FISCSI  Det  Bahrain 
Security  Manager  provided  training  on  the  proper  handling  of  sensitive  information  on 
September  15,  2009.  He  further  stated  that  FISCSI  Det  Bahrain  schedules  security 
training  monthly  and  holds  a  security  discussion  during  weekly  meetings. 

The  DASN  (M&B)  stated  that  U.S.  Government  staff  with  appropriate  clearances  began 
reviewing  contract  files  starting  with  the  ship  repair  and  military  exercise  contracts 
because  they  have  the  most  potential  to  contain  classified  documentation.  The  DASN 
(M&B)  also  stated  that  they  will  review  all  contracts  starting  with  the  most  recent.  He 
further  stated  that  historic  contract  files  are  properly  stored  and  only  authorized 
individuals  can  access  the  files.  The  DASN  (M&B)  stated  that  FISCSI  Det  Bahrain  has 
two  Navy  reservists  reviewing  the  contract  files  and  requested  additional  support.  He 
also  stated  that  FISCSI  Det  Bahrain  target  completion  date  for  reviewing  all  contract  files 
is  February  28,  2010. 

In  additional  comments,  the  DASN  (M&B)  stated  that  the  contracts  containing  the 
classified  memoranda  were  immediately  stored  in  an  approved  storage  location.  The 
DASN  (M&B)  also  stated  that  FISCSI  is  unable  to  respond  to  the  assertion  that  CNO 
incorrectly  marked  the  classified  documentation  and  that  the  FISCSI  Det  Bahrain 
ongoing  investigation  will  attempt  to  determine  at  what  point  these  documents  were 
stored  in  the  unclassified  contract  files. 

Our  Response 

FISCSI  Det  Naples  should  provide  the  results  of  its  review  of  all  contract  files  to  the 
DOD  Office  of  Inspector  General  upon  completion  in  February  2010.  As  a  result  of  the 


8 


DASN  (M&B)  comments;  we  revised  and  renumbered  draft  Recommendation  l.a  to  2.c. 
We  also  redirected  Recommendation  2.c  to  FISCSI  Det  Naples  because  it  is  the 
command’s  responsibility  to  investigate  the  compromise  of  information.  FISCSI  should 
also  expand  its  investigation  to  include  how  and  when  the  classified  documentation  ended 
up  in  the  contract  fde.  We  request  that  FISCSI  Det  Naples  personnel  provide  us  the 
results  of  their  investigation.  We  request  that  the  Director  of  Contracting,  FISCSI  Det 
Naples  provide  comments  on  Recommendation  2.c. 
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Appendix  A.  Scope  and  Methodology 

We  conducted  this  performance  audit  from  March  2009  through  September  2009  in 
accordance  with  generally  accepted  government  auditing  standards.  Those  standards 
require  that  we  plan  and  perform  the  audit  to  obtain  sufficient,  appropriate  evidence  to 
provide  a  reasonable  basis  for  our  findings  and  conclusions  based  on  our  audit  objectives. 
We  believe  that  the  evidence  obtained  provides  a  reasonable  basis  for  our  findings  and 
conclusions  based  on  our  audit  objectives. 

This  is  the  first  in  a  series  of  reports  on  Army  and  Navy  ship  maintenance  contracts.  We 
announced  this  audit  in  March  2009  and  judgmentally  selected  17  FISCSI  Det  Bahrain 
contracts,  15  Army  contracts,  and  7  Naval  Sea  Systems  Command  technical  instructions, 
valued  at  $96,839,887.  We  selected  this  sample  from  a  universe  of  2,934  contracts 
valued  at  $171,901,765.  We  visited  FISCSI  Det  Bahrain  in  Manama,  Bahrain,  from  May 
25  to  June  4,  2009.  The  results  of  the  review  of  these  contracts  are  not  included  in  this 
report,  but  follow  on  reports  will  address  issues  regarding  these  contracts. 

We  intend  to  meet  the  stated  objective  in  the  follow  on  audit  projects.  The  scope  of  this 
project  is  limited  to  the  information  security  issues  we  discovered  at  FISCSI  Det  Bahrain. 
We  will  issue  a  separate  report  on  our  review  of  the  contract  files  at  FISCSI  Det  Bahrain 
in  Project  No.  D2009-D000AS-163.002. 

For  this  report,  we  reviewed  classified  guidelines  contained  in  DOD  Regulation  5200. 1-R 
and  the  Secretary  of  the  Navy  Manual  5510.36.  We  also  interviewed  officials  at  FISCSI 
Det  Bahrain,  officials  at  FISCSI  Det  Naples,  and  the  Special  Assistant  for  Naval 
Investigative  Matters  and  Security. 

Use  of  Computer-Processed  Data 

We  used  computer-processed  data  from  the  Federal  Procurement  Data  System-Next 
Generation  to  help  choose  our  judgmental  sample  of  task  orders  for  the  audit.  However, 
we  did  not  rely  on  this  data  to  support  this  Finding.  Therefore,  we  did  not  perform  a 
reliability  assessment  of  the  computer-processed  data. 

Prior  Coverage 

No  prior  coverage  has  been  conducted  on  classification  issues  in  FISCSI  Det  Bahrain 
during  the  last  5  years. 
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Appendix  B.  Action  Memorandum  to  Fleet 
and  Industrial  Supply  Center,  Sigonella, 


Detachment  Naples 


INSPECTOR  GENERAL 
DEPARTMENT  OF  DEFENSE 
400  ARMY  NAVY  DRIVE 
ARLINGTON,  VIRGINIA  22202^1704 


MEMORANDUM  FOR  DIRECTOR,  FLEET  AND  INDUSTRIAL  SUPPLY  CENTER 
SIGONELLA,  NAVAL  REGIONAL  CONTRACTING 
DETACHMENT,  NAPLES 

SUBJECT:  Information  Security  Issue  Identified  During  the  Audit  of  Army  and  Navy  Small 
Boats  Maintenance  Projects  (Project  No.  D2009-D000AS-0 163.000)  (U) 

lugeraajln  accordance  with  DoD  Regulation  5200. 1-R  “Information  Security  Program,” 
dated  January  1997,  chapter  10,  we  are  notifying  Fleet  and  Industrial  Supply  Center  (FISC) 
Sigonella  Naval  Regional  Contracting  Detachment  Naples  about  a  potential  compromise  of 
classified  information.  This  could  present  a  threat  to  national  security. 

During  fieldwork  in  Manama,  Bahrain,  from  May  22  to  June  5, 2009,  we  visited 
FISC,  Bahrain  to  review  a  sample  of  contracting  files  and  found  classified  documentation  in  two 
contracting  files.  In  one  file,  we  found  an  Office  of  the  Chief  of  Naval  Operations  (CNO) 
memorandum,  dated  June  21,  2005,  which  is  classified  “Confidential/NOFORN”  with  an  e-mail 
attached  with  the  same  marking.  The  other  file  also  contained  a  CNO  memorandum.  FISC 
provided  the  files  to  us  in  an  unsecure  conference  room  and  had  stored  them  in  an  unsecure 
facility.  In  addition,  third-country  nationals  had  access  to  this  documentation,  as  they  had  signed 
off  on  information  in  the  contracting  files.  The  Navy  did  not  properly  mark  the  document  with  a 
declassification  date.  We  informed  the  Commander,  FISC,  Bahrain  of  the  release  of  this 
information;  we  were  not  satisfied  that  he  took  appropriate  action  to  immediately  secure  the 
information.  DoD  Regulation  5200. 1-R  provides  guidance  on  proper  storage,  marking,  and 
investigation  of  the  possible  compromise  of  classified  information. 

^uijQn  at  least  two  subsequent  occasions,  we  have  requested  the  status  of  actions 
taken  and  have  not  received  satisfactory  answers.  We  recommend  that  FISC  Sigonella  Naval 
Regional  Contracting  Detachment  Naples  initiate  an  inquiry  into  this  issue  in  accordance  with 
DoD  Regulation  5200. 1-R.  We  request  that  FISC  Sigonella  Naval  Regional  Contracting 
Detachment  Naples  inform  us  of  the  actions  taken  to  address  the  issue. 

We  appreciate  your  immediate  action  on  this  matter.  Please  respond  to  I 


n  the  actions  taken  to 


address  the  issue. 


Richard  B.  Jolliffe 
Assistant  Inspector  General 
Acquisition  and  Contract  Management 


cc:  Special  Assistant  For  Naval  Investigative  Matters  And  Security 


Office  of  the  Assistant  Secretary  of  the  Navy  (Research, 
Development  and  Acquisition)  Comments 


DEPARTMENT  OF  THE  NAVY 

OFFICE  OF  THE  ASSISTANT  SECRETARY 
(RESEARCH,  DEVELOPMENT  AND  ACQUISITION) 

1000  NAVY  PENTAGON 
WASHINGTON  DC  20350-1000 

October  6*  2009 

MEMORANDUM  FOR  DEPARTMENT  OF  DEFENSE-INSPECTOR  GENERAL 
ARLINGTON,  VIRGINIA 

SUBJECT:  Department  of  Defense  Inspector  General  Draft  Rcpon  Information  Security 
at  the  Fleet  and  Industrial  Supply  Center,  SigoneJJa,  Detachment  Bahrain 
(Project  No,  D2O09-D000 AS -01 63.000) 

The  Department  of  the  Navy  (DoN)  hereby  endorses  and  forwards  the  attached 
Naval  Supply  Systems  Command  response  to  subject  draft  report.  The  response  provides 
detailed  comments  regarding  the  findings  and  recommendations  contained  in  the  subject 
draft  report.  The  Navy's  response  should  be  incorporated  into  the  final  DODIG  report. 

If  you  have  any  questions  pertaining  to  this  memo  or  its  attachments,  please  refer 


C*PT,  SQ  USN 

^Deputy  Assistant  Secretary  of  the  Navy 
(Management  and  Budget) 

Attachments: 

As  stated 
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NAVY  COMMENTS  TO  DODIG  DRAFT  REPORT  OF  10  SEPTEMBER  2009 
ON  INFORMATION  SECURITY  AT  THE  FLEET  AND  INDUSTRIAL  SUPPLY 
CENTER,  SIGONELLA  DETACHMENT  BAHRAIN 
( D2  0  09 - DO  0  0AS - 0 1 6  3 . 000) 


Finding  It  Classified  Information  in  the  Fleet  and 

Industrial  Supply  Center,  Detachment  Bahrain 

Fleet  and  Industrial  Supply  Center,  Sigonella  (FI SCSI) , 
Detachment  Bahrain  personnel  stored  classified  documents  in 
unclassified  files  that  they  did  not  safeguard  or  mark  properly 
because  FI SCSI  Detachment  Bahrain  personnel  did  not  follow  DOD 
Regulations  on  handling  classified  information-  In  addition, 
Chief  of  Naval  Operations  (CNO)  officials  did  not  properly  mark 
the  documents  with  a  declassification  date.  As  a  result, 
foreign  nationals  and  other  employees  had  access  to  classified 
information.  Unauthorized  access  to  classified  documentation 
can  compromise  national  security  and  increase  risk  to  the  war 
f ighter . 

DON  Response:  Concur.  The  classified  memorandum  was  incorrectly 
filed  in  the  contract  file.  This  classified  memorandum  was  not 
necessary  for  the  specific  contract  and  did  not  need  to  be  kept 
in  the  contract  file.  FISCSI  Detachment  Bahrain  does  not  award 
classified  contracts,  nor  do  they  work  with  any  classified 
contracts . 

Recommendations : 

2.  We  recommended  that  the  Director  of  Contracting,  Fleet  and 
Industrial  Supply  Center  Sigonella  Regional  Naval  Regional 
Contracting  Detachment  Naples  ensure  that  the  Fleet  and 
Industrial  Supply  Center  Sigonella  Detachment  Bahrain: 

a.  Provide  training  to  personnel  in  the  Fleet  and 
Industrial  Supply  Center  Bahrain  on  DOD  and  Navy  information 
security  policies  to  ensure  that  personnel  know  how  to  handle 
classified  information. 

DON  Response*  Concur.  The  Fleet  and  Industrial  Supply  Center, 
Sigonella  (FISCSI)  Assistant  Security  Officer  conducted  training 
on  10  August  2009,  on  the  proper  handling  of  classified 
information  and  DOD/DON  information  security  policies.  The 
FISCSI  Detachment  Bahrain  Security  Manager  conducted  training  on 
15  September  2009,  on  the  proper  handling  of  sensitive 
information.  Security  training  is  scheduled  monthly  to  stress 

Endosure(l) 
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the  importance  of  safeguarding  classified  information.  In 
addition,  a  security  reminder /discus si on  is  provided  during 
weekly  Work-in-Process  (NIP)  meetings.  Action  is  considered 
complete  for  reporting  purposes . 

b,  Review  all  contract  files  to  ensure  that  they  do  not 
contain  classified  information. 

DON  Response:  Concur.  United  States  Government  staff  (with 
appropriate  clearance}  have  started  reviewing  the  contract 
files,  beginning  with  those  with  the  greatest  potential  of 
containing  misfiled  classified  documents  -  ship  repair  contracts 
and  contracts  supporting  military  exercises.  Contracts  awarded 
most  recently  will  be  reviewed  first,  followed  by  older 
contracts,  until  all  have  been  reviewed. 

Historic  contract  files  in  storage  have  been  properly  secured 
and  can  only  be  accessed  by  individuals  with  appropriate 
clearance.  As  required,  contract  files  needing  to  be  removed 
from  storage  will  be  reviewed  by  cleared  individuals  for 
classified  material  before  release  to  uncleared  entities  or 
individuals . 

FISCSI  Detachment  Bahrain  currently  has  two  U.S.  Navy  Reservists 
assisting  in  the  review  of  the  contract  files,  and  has  requested 
additional  Reserve  support  for  the  upcoming  months.  Based  on 
workload  and  the  quantity  of  contract  files  in  inventory,  our 
estimated  target  completion  date  for  reviewing  all  contract 
files  is  28  February  2010. 

Additional  Comments: 

Upon  discovery  of  the  classified  memos,  the  contract  files  were 
immediately  secured  in  an  approved  storage  location,  FISCSI 
Detachment  Bahrain/ s  Secure  Internet  Protocol  Router  Network 
(SIPRNET)  room,  which  is  certified  to  store  documents  up  to 
SECRET  classification. 

FISC  Signonella  is  unable  to  respond  to  the  assertions  that  CNO 
mismarked  the  classified  documents,  as  FISCSI  is  not  the 
Original  Classifying  Authority,  (OCA} .  The  FISCSI  Detachment 
Bahrain  ongoing  investigation  will  attempt  to  determine  at  what 
point  these  classified  documents  were  stowed  in  the  unclassified 
contract  files. 


Enclosure  (1) 


DEPARTMENT  OF  THE  NAVY 

OFFFCE  OF  THE  ASSISTANT  SECRETARY 
{RESEARCH.  DEVELOPMENT  AND  ACQUISSTION) 

10OO  NAVY  PENTAGON 
WASHINGTON  DC  20350*1000 

October  7 ,  2009 

MEMORANDUM  FOR  DEPARTMENT  OF  DEFENSE-INSPECTOR  GENERAL 
ARLINGTON,  VIRGINIA 

S  U  6  J  ECT :  Depan  me  nr  of  Defense  I  n  s  pec  tor  Ge  ne  ral  Dra  ft  Report  In  fo rmati  on  Security 
at  the  Fleet  and  Industrial  Supply  Center,  Si  gone!  La,  Detachment  Bahrain 
(Project  No.  D2OO9-DTO0AS-0 163.000) 

The  Department  of  the  Navy  (DoN)  hereby  endorses  and  forwards  the  attached 
Special  Assistant  for  Naval  Investigative  Matters  &  Security  response  to  subject  draft 
report  for  recommendations  la  and  lb.  This  response  is  in  addition  to  the  Naval  Supply 
Systems  Command  response  provided  by  memorandum  on  6  October  2009  which 
addressed  recommendations  2a  and  2b.  Together,  these  two  responses  provide  detailed 
comments  regarding  the  findings  and  recommendations  contained  in  the  subject  draft 
report.  The  Navy's  response  should  be  incorporated  into  the  final  DODIG  report. 

If  you  have  any  questions  pertaining  to  this  memo  or  its  attachments,  please  refer 

them  lo 


Deputy  Assistant  Secretary  of  the  Navy 
(Management  and  Budget) 

Attachments: 

As  stated 


or  at 
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Final  Report 
Reference 


Special  Assistant  for  Naval  Investigative  Matters  and  Security 
COMMENTS  TO  BODIG  DRAFT  REPORT  OF  10  SEPTEMBER  2009 
ON  INFORMATION  SECURITY  AT  THE  FLEET  AND  INDUSTRIAL  SUPPLY 
CENTER ,  SIGQNELLA  DETACHMENT  BAHRAIN 
(D2 009 -D0O0AS- 0163 .000) 


Recommendations : 

1.  (FQUO)  We  recommend  that  the  Special  Assistant  for  Naval 
Investigative  Matters  and  Security: 

a.  { FQUO)  Investigate  this  potential  compromise  of 
information  and  determine  its  effect  on  national  security. 

DON  Response:  CNO  (N09N)  provides  implementing  policy  within  the 
Department  of  the  Navy.  N09N  is  not  an  operational  command.  It 
is  the  responsibility  of  the  cognisant  command  to  conduct  the 
investigation  into  the  potential  compromise  of  classified 
material  and  determine  its  effect  on  national  security,  not  CNO 
(N09N) .  Additionally,  any  damage  assessment  is  to  be  conducted 
by  the  Original  Classification  Authority  vice  CNO  (NQ9N) , 

b.  (FQUO)  Determine  why  the  Chief  of  Naval  Operations 
memoranda  were  incorrectly  marked  and  initiate  corrective 
actions, 

DON  Response:  CNO  (N09N)  concurs  with  the  finding  that  the 
documents  were  incorrectly  marked  however,  upon  receipt  of  the 
Preliminary  Inquiry  from  the  cognizant  command,  the  originators 
are  obligated  to  initiate  corrective  actions.  We  conducted  a 
preliminary  review  of  the  documents  in  question  that  were 
provided  by  DOD  IG  and  it  is  our  assertion  they  were  declassified 
as  soon  as  notification  of  host  nation  was  made  in  September 
2  005. 

Additional  Comments : 

We  have,  as  recently  as  7  May  2009,  generated  interim 
guidance  to  all  Department  of  the  Navy  commands  regarding  the 
proper  marking  of  classified  documents  and  instructed  them  to 
conducted  a  random  sampling  of  originally  and  derivatively 
generated  documents.  The  proper  marking  of  classified  documents, 
to  include  email,  is  emphasized  during  our  annual  Security 
Manager's  Seminar, 

The  recommended  findings  should  be  redirected  to  the  Fleet 
and  Industrial  Supply  Center,  Sigonella  Detachment  Bahrain  with 
oversight  by  Headquarters,  Naval  Supply  Systems  Command. 


Enclosure  (i) 


Revised, 
Redirected,  and 
Renumbered 
Recommendation 
as  2.c. 


Revised 
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